passbolt / charts-passbolt

Helm charts to run Passbolt on Kubernetes. No strings attached charts to run the open source password manager for teams!
https://passbolt.com
GNU Affero General Public License v3.0

Environment variables such as DATASOURCES_DEFAULT_HOST and DATASOURCES_DEFAULT_PORT should be quoted #83

Closed madser123 closed 2 months ago

madser123 commented 2 months ago

After hours of debugging I can't find the error for this, other than it might originate from the deployment.yaml file in the repo and not from my values.yaml...

I can see that a new release has been made recently, which is the only reason (and the fact that I have checked everything I know of on my end) that I suspect the error originates in the chart, and not in my values.

Here is my (anonymized) values.yaml file:

# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

## Dependencies configuration parameters

## Redis dependency parameters

# -- Install redis as a depending chart
redisDependencyEnabled: true
# -- Install mariadb as a depending chart
mariadbDependencyEnabled: false # We don't want mariadb to be installed as a dependency
# -- Install postgresql as a depending chart
postgresqlDependencyEnabled: false # We don't want postgresql to be installed as a dependency

# Configure redis dependency chart
redis:
  auth:
    # -- Enable redis authentication
    enabled: true
    password: "REDIS_PASSWORD"
  sentinel:
    # -- Enable redis sentinel
    enabled: true

## Passbolt configuration

## Passbolt container and sidecar parameters
app:
  # -- Configure passbolt deployment init container that waits for database
  databaseInitContainer:
    # -- Toggle passbolt deployment init container that waits for database
    enabled: true

  # Allowed options: mariadb, mysql or postgresql
  database:
    kind: postgresql

  tls:
    # -- If autogenerate is true, the chart will generate a secret with a certificate for APP_FULL_BASE_URL hostname
    # -- if autogenerate is false, existingSecret should be filled with an existing tls kind secret name
    #@ignored
    autogenerate: false
    #existingSecret: ""

## Passbolt environment parameters

# -- Configure passbolt gpg directory
gpgPath: /etc/passbolt/gpg
# -- Name of the existing secret for the GPG server keypair. The secret must contain the `serverkey.asc` and `serverkey_private.asc` keys.
gpgExistingSecret: "passbolt-gpg-secrets"

# -- Configure passbolt jwt directory
jwtPath: /etc/passbolt/jwt
# -- Name of the existing secret for the JWT server keypair. The secret must contain the `jwt.key` and `jwt.pem` keys.
jwtExistingSecret: "passbolt-jwt-secrets"

passboltEnv:
  plain:
    # -- Configure passbolt privacy url
    PASSBOLT_LEGAL_PRIVACYPOLICYURL: https://www.passbolt.com/privacy
    # -- Configure passbolt fullBaseUrl
    APP_FULL_BASE_URL: https://passbolt.local
    # -- Configure passbolt to force ssl
    PASSBOLT_SSL_FORCE: true
    # -- Toggle passbolt public registration
    PASSBOLT_REGISTRATION_PUBLIC: true
    # -- Configure passbolt cake cache server
    CACHE_CAKE_DEFAULT_SERVER: 127.0.0.1
    # -- Configure database host
    DATASOURCES_DEFAULT_HOST: URL
    # -- Configure database port
    DATASOURCES_DEFAULT_PORT: 5432
    # -- Configure passbolt default email service port
    EMAIL_TRANSPORT_DEFAULT_PORT: 587
    # -- Toggle passbolt debug mode
    DEBUG: false
    # -- Configure email used on gpg key. This is used when automatically creating a new gpg server key and when automatically calculating the fingerprint.
    PASSBOLT_KEY_EMAIL: passbolt@domain.dk
    # -- Toggle passbolt selenium mode
    PASSBOLT_SELENIUM_ACTIVE: false
    # -- Configure passbolt default email from
    EMAIL_DEFAULT_FROM: passbolt@domain.dk
    # -- Configure passbolt default email from name
    EMAIL_DEFAULT_FROM_NAME: Passbolt
    # -- Configure passbolt default email host
    EMAIL_TRANSPORT_DEFAULT_HOST: postfix.domain.dk
    # -- Configure passbolt default email timeout
    EMAIL_TRANSPORT_DEFAULT_TIMEOUT: 30
    # -- Toggle passbolt tls
    EMAIL_TRANSPORT_DEFAULT_TLS: true
    # -- Configure passbolt jwt private key path
    PASSBOLT_JWT_SERVER_KEY: /var/www/passbolt/config/jwt/jwt.key
    # -- Configure passbolt jwt public key path
    PASSBOLT_JWT_SERVER_PEM: /var/www/passbolt/config/jwt/jwt.pem
    # -- Toggle passbolt jwt authentication
    PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED: true
    # -- Download Command for kubectl
    KUBECTL_DOWNLOAD_CMD: curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
  secret:
    # -- Configure passbolt default database username
    DATASOURCES_DEFAULT_USERNAME: passbolt
    # -- Configure passbolt default database
    DATASOURCES_DEFAULT_DATABASE: passbolt
  # -- Environment variables to add to the passbolt pods
  #extraEnv: []
  # -- Environment variables from secrets or configmaps to add to the passbolt pods
  extraEnvFrom:
    - secretRef:
        name: passbolt-secrets-env

## Passbolt deployment parameters

service:
  # -- Configure passbolt service type
  type: ClusterIP
  # -- Annotations to add to the service
  annotations: {}
  # -- Configure the service ports
  ports:
    http:
      # -- Configure passbolt HTTP service port
      port: 80
      # -- Configure passbolt HTTP service targetPort
      targetPort: 80
      # -- Configure passbolt HTTP service port name
      name: http

Output from helm install hiper-passbolt passbolt-repo/passbolt -f ./values.old.yml --debug

install.go:218: [debug] Original chart version: ""
install.go:235: [debug] CHART PATH: /home/maj/.cache/helm/repository/passbolt-1.1.0.tgz

Error: INSTALLATION FAILED: YAML parse error on passbolt/templates/deployment.yaml: error converting YAML to JSON: yaml: line 150: found character that cannot start any token
helm.go:84: [debug] error converting YAML to JSON: yaml: line 150: found character that cannot start any token
YAML parse error on passbolt/templates/deployment.yaml
helm.sh/helm/v3/pkg/releaseutil.(*manifestFile).sort
        helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go:146
helm.sh/helm/v3/pkg/releaseutil.SortManifests
        helm.sh/helm/v3/pkg/releaseutil/manifest_sorter.go:106
helm.sh/helm/v3/pkg/action.(*Configuration).renderResources
        helm.sh/helm/v3/pkg/action/action.go:168
helm.sh/helm/v3/pkg/action.(*Install).RunWithContext
        helm.sh/helm/v3/pkg/action/install.go:304
main.runInstall
        helm.sh/helm/v3/cmd/helm/install.go:310
main.newInstallCmd.func2
        helm.sh/helm/v3/cmd/helm/install.go:156
github.com/spf13/cobra.(*Command).execute
        github.com/spf13/cobra@v1.8.0/command.go:983
github.com/spf13/cobra.(*Command).ExecuteC
        github.com/spf13/cobra@v1.8.0/command.go:1115
github.com/spf13/cobra.(*Command).Execute
        github.com/spf13/cobra@v1.8.0/command.go:1039
main.main
        helm.sh/helm/v3/cmd/helm/helm.go:83
runtime.main
        runtime/proc.go:267
runtime.goexit
        runtime/asm_amd64.s:1650
INSTALLATION FAILED
main.newInstallCmd.func2
        helm.sh/helm/v3/cmd/helm/install.go:158
github.com/spf13/cobra.(*Command).execute
        github.com/spf13/cobra@v1.8.0/command.go:983
github.com/spf13/cobra.(*Command).ExecuteC
        github.com/spf13/cobra@v1.8.0/command.go:1115
github.com/spf13/cobra.(*Command).Execute
        github.com/spf13/cobra@v1.8.0/command.go:1039
main.main
        helm.sh/helm/v3/cmd/helm/helm.go:83
runtime.main
        runtime/proc.go:267
runtime.goexit
        runtime/asm_amd64.s:1650

I hope someone can help :)

dlen commented 2 months ago

Hi @madser123

Thanks for your detailed report. I have been able to reproduce your issue. There's a mix of issues in your values.yaml and yaml limitations. You have declared app.tls.autogenerate as false. That requires app.tls.existingSecret to be defined to point to some secret in your k8s cluster. Maybe we can make the chart fail and notify the user about the requirement.

Then the chart has a bug: it is not correctly quoting the defined passboltEnv.plain.DATASOURCES_DEFAULT_HOST and passboltEnv.plain.DATASOURCES_DEFAULT_PORT. For this one I have found a workaround, defining them as follows:

passboltEnv:
  plain:
    DATASOURCES_DEFAULT_HOST: |
      "myhost"
    DATASOURCES_DEFAULT_PORT: |
      "myport"

In any case we'll release a hotfix for the quoting on numeric env vars.

madser123 commented 2 months ago

@dlen Thank you for the quick response. It would be nice to have the hotfix in the future, but the workaround is just fine for now :smile:

Out of curiosity, and because I don't quite understand the TLS setup in Passbolt, why is TLS required, either through a Secret or as autogenerated?

We have HTTPS handled by our Load Balancer in AWS, and therefore wanted to use Passbolt as HTTP only; that's why we initially omitted the TLS part.

dlen commented 2 months ago

No problem!

Yeah, passbolt listens by default on port 443 and port 80, even if you don't want to use SSL between your ingress and passbolt because you trust your internal network.

There's some room for improvement in that area for people that just want SSL offloading, you are right. However, we don't really think you should have unencrypted connections to passbolt at all. Consider it a "procrastination for better security practices" :laughing:

madser123 commented 2 months ago

It seems like the workaround actually doesn't quite work. I'm getting this error after deployment.

<p class="error">
            The DSN string 'postgres://passbolt:password@passbolt-db.hiper.dk:"5432"/passbolt?schema=passbolt' could not be parsed.
</p>

I believe that the quotes aren't working around the port, unfortunately...
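An added example (not the chart's code) of what the two messages above show: a numeric port in values.yaml comes through YAML typed as an integer, which a container env entry cannot carry unless the template quotes it, and the block-scalar workaround hands the chart a string that already contains literal quote characters and a trailing newline, which is exactly what the DSN error shows. Ruby's Psych and ERB stand in for Helm's YAML and Go templates; the values snippets and templates are constructed for the demonstration.

```ruby
require 'yaml'
require 'erb'
require 'json'

# Constructed stand-ins for the three shapes of values.yaml seen in this thread
# (not the chart's own files).
VALUES_NUMERIC = "DATASOURCES_DEFAULT_PORT: 5432\n"
VALUES_STRING  = "DATASOURCES_DEFAULT_PORT: \"5432\"\n"
VALUES_BLOCK   = "DATASOURCES_DEFAULT_PORT: |\n  \"5432\"\n"   # the block-scalar workaround

# Two ways a template can emit the container env entry. Helm uses Go text/template;
# ERB is a stand-in here, what matters is the YAML the API server parses afterwards.
TEMPLATE_UNQUOTED = "- name: <%= name %>\n  value: <%= value %>\n"
TEMPLATE_QUOTED   = "- name: <%= name %>\n  value: <%= value.to_s.to_json %>\n" # like `| quote`

# The value the chart receives from values.yaml, with whatever type YAML gave it.
def load_port(values_yaml)
  YAML.safe_load(values_yaml)['DATASOURCES_DEFAULT_PORT']
end

# Render the env entry for one value.
def render_env(template, port)
  ERB.new(template).result_with_hash(name: 'DATASOURCES_DEFAULT_PORT', value: port)
end

# Parse the rendered manifest back the way the API server would.
def rendered_env_value(template, port)
  YAML.safe_load(render_env(template, port)).first['value']
end

# Kubernetes requires EnvVar.value to be a string; a DSN also cannot carry stray quotes or newlines.
def valid_env_value?(v)
  v.is_a?(String) && v == v.strip && !v.include?('"')
end

# Lint a rendered env list: names of entries whose value would break at deploy or at connect time.
def bad_env_entries(manifest)
  YAML.safe_load(manifest).reject { |e| valid_env_value?(e['value']) }.map { |e| e['name'] }
end

if $PROGRAM_NAME == __FILE__
  [VALUES_NUMERIC, VALUES_STRING, VALUES_BLOCK].each do |values|
    port = load_port(values)
    [TEMPLATE_UNQUOTED, TEMPLATE_QUOTED].each do |tpl|
      puts "#{port.inspect} -> #{rendered_env_value(tpl, port).inspect} bad=#{bad_env_entries(render_env(tpl, port))}"
    end
  end
end
```

Note that even `"5432"` quoted in values.yaml leaks back into an integer when the template emits it unquoted, so the fix has to be on the template side, as the 1.1.1 release did.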

dlen commented 2 months ago

Yeah, I think it is just my workaround that is not good enough. I'll prepare a hotfix for today.

madser123 commented 2 months ago

Sounds great. Thank you!

dlen commented 2 months ago

Release 1.1.1 has been published with a fix. It should work now, in any case feel free to reopen or create a new issue if there's any other scenario that requires attention.

Thanks for your report!